
wiplash writes "Google Chrome appears to store at least some information related to, and including, the sites that you have visited when browsing in Incognito mode. Lewis Thompson outlines a set of steps you can follow to confirm whether you are affected. He has apparently reported this to Google, but no response has yet been received."

WTF. This is obviously a browser bug. What on Earth does Google have to gain by letting the browser recall your zoom setting on the client-side? Stop trolling, please!

Google hasn't replied, but I assume that's because the stupid article author didn't even file a bug against this. I'm a complete nobody in Chrome development, but even I has done this in 2 minutes, an equivalent time period of composing a well formulated e-mail and sending it to Google.

The article shows that a per-site setting (page zoom) persists between incognito sessions. That's all. No mention or even speculation that Google is storing that information on their servers.

That said, Incognito was never meant to be private browsing from Google. Your search queries still get sent to your search provider (imagine that!) and auto-suggest will still work. What Incognito mode is for is to prevent your wife/brother/sister/boss from seeing the sites you use. This has been discussed to death already.

Are you sure about that? Your voice communications are going over the wire unencrypted. Well, at least until it hits a digital circuit, but even that's not "safe", it's just obfuscated from sticking a speaker on the line.

They could be listening to some or all. And there's been enough information about the gov't doing it. You shouldn't believe that there are up to two listeners on any phone call. (Lowered to one when you're talking to the wife. She never listens to you, and

So, maybe I'm just being an apologist here...
But while I did verify this, and can see some disk writes in ProcMon to a tmp file (which seems to be deleted on close), is it asking too much to have a little more info before running off and declaring it to be some additional nefarious way to collect info? Any packet sniffing, or even seeing if it can be replicated in Chromium or Iron? Any effort to see ANYTHING AT ALL of what's going on, or whether that data is stored anywhere except the "magnify websites to this level" database?

I mean come on, I know Google is the new "cool to hate" company, but a 1 paragraph blog entry with NO technical details whatsoever makes REALLY poor outrage material.

Yes, it's the basis of their business model. They need all that information to serve their advertisers better. This means they're also constantly looking for new ways to get even more and more information. Even if some of their services currently aren't related to advertising (like their free DNS service), there's no guarantee that they cannot be in the future. They're awfully easy to integrate later when they have grown, and with publicly traded companies you never know what is going to happen in the future. Especially when they're looking for new ways to generate advertising revenue.

Notice that all of their services are related to obtaining information, usage statistics, datamining and serving advertisement. YouTube too is a great resource for advertisers, as soon as online video matures a little bit more (though they're already working on it).

Not that it's a bad business model - but if you value your privacy, you might want to consider forgetting freeloading for a moment and buying software. You know, the business model that is based on customers paying for the software instead of selling their soul for advertisers. Google is the new adware business, they have just hidden it better.

I'm not too worried about my privacy when it comes to corporations. Partly, it's because they already have a lot of data on me. Partly, it's because if they abuse it, I have at least a possible method of recourse.

What I am worried about is the government getting their hands on such data. Now that's a danger that far exceeds what a corporation can do. And, you have no method of recourse against the government.

Look at it this way: The worst a corporation could do is deny me a loan, because I buy a lot of junk online, and that means (by whatever twisted logic corporations employ) I'd be more likely to default on it.

The worst a government can do is pull me over for a traffic violation, and throw me into prison without a trial because the routine check brought up the fact that I frequent sites that advocate extreme or even locally unpopular views.

Which all leads to why I try to keep as anonymous as practically possible. Corporations don't have adequate data retention (or deletion) policy for my needs. And they cave easily to the government. Google is only slightly better in that they explicitly state how long they'll keep the data. But until every corporation adopts far more restrictive data retention policies whether by government regulation or by public outcry, I'm going to keep data on me from leaking out as much as possible.

And before anybody points out the obvious contradiction above, I'm just going to say that entities can work for you sometimes, and against you sometimes, neither of which precludes them from doing the complete opposite at the same time.

I was going to reply with comments related to the Constitution (specifically the Bill of Rights), how the court system works, the various court cases the Supreme Court has ruled on regarding protests and freedom of speech, and other facets of how the law protects you from government abuse related to freedom of speech and protest/demonstrations, but then I remembered that this is Slashdot, and the government is always bad, and corporations are always better than the government.

I sometimes forget that I am in the minority around here when it comes to trust of the government vs. trust of corporations (I trust the government more than I trust corporations, though I have a healthy wish for privacy). I am one of those that thinks Orwell is overrated (I like the stories, but I don't see them happening), with Huxley's Brave New World being my dystopian present/future to be feared.

I think you're missing the GP's point. Although many around here might well hold the beliefs you allude to (I don't think it's a significant population on Slashdot, as victimized as you might feel by them), the GP's point is that the cost of betrayal by the Government far exceeds the cost of betrayal by a Corporation. In fact, the worst a Corporation can do to you is really limited by what the Government will allow it to do - if you are really so afraid of what a Corporation can do to you, you are implicitly afraid of what the Government will let it do.

Quite. Here in the UK the convention is that no Parliament may be bound by its predecessors, with the actual effect that we can change our "constitution" with a simple majority vote in the Commons. Considering the power of the party whips, and the tendency to one-party rule, we do effectively have an elected dictator.

Less so this time round, with the coalition, but even they have shown they can change the constitution with a simple majority vote and are willing to do so without an explicit mandate.

OK, I'm from one of your colonies, so I'm not 100% up to speed with the UK's system, but can't the Queen dissolve the government in extreme circumstances (at least in theory)? I'm pretty sure she can actually dissolve our government, which IMO is quite a sensible precaution to have in place....

That's the point -- the Queen can't just step in because she doesn't like the current government, it's only if the shit really hits the fan, as a last resort. For example, if an elected government tried to turn itself into a perpetual dictatorship without the support of the public, she could go in and kick some ass.

"Partly, it's because if they abuse it, I have at least a possible method of recourse." then "Now that's a danger that far exceeds what a corporation can do. And, you have no method of recourse against the government."

WOW. That is completely backwards.

You have a great many avenues of recourse against the government than you have against any corporation.

Their DNS system is related to advertising. It allows them to tie a specific IP address to user activity which can be used to build a demographic profile useful to marketers and advertisers. This can be kept anonymous and aggregated or they can correlate the IP address with its use on existing Google accounts to merge in additional info like gender and approximate location in the world.

Of course you don't know it for sure, but if they did that they would be risking their reputation too. It would be stupid to risk their main business just to get that extra one dollar. In the long run it would cost them a lot more. At most it would be an opt-in like thing.

I'm not saying all software you buy is like that, but since the base monetization method is completely different, there's a much larger chance for that. All of that is of course hidden in EULA or privacy policy.

You're not exactly selling your soul. You are only licensing it. Hope your DRM is up to date.

The problem is that nothing is stopping Google from copying your information between devices, unlike DRM.
To be honest, I'd love to have my details protected by some DRM - every time a company makes any use of it, they have to contact my server first and ask for a one-time permission.
Doesn't seem too likely, unfortunately.

Do you believe every piece of FUD that comes out of sopssa's mouth? By default yes, everything typed into the address bar is sent to Google, which is how their autocomplete for searches works. If you just don't want it sent to Google, change your default search provider. If you don't want it sent anywhere, simply uncheck 'use a suggestion service to help complete searches and URLs typed in the address bar' in the Under the Hood tab of Options.

What I noticed recently was when I clicked on the final "clear browser data" button, Google Chrome would make an HTTP request or two back to Google. Not sure why this happens. I don't have "send usage statistics and crash reports" enabled, but I do have show suggestions, use suggestion service, DNS prefetching, phishing protection enabled.

Firefox was a little more polite about it, but it's still pretty deep in there. I was setting up an embedded machine with Firefox (local web browsing, no Internet connection). I was really surprised how many things were in there on a clean install of it. It's not just url completion. There's "safe browsing", SSL cert verification, updates.. Well, just do an about:config and search for http:// and then https://. There ar

Um, yes, and AFAIK you have been able since almost the beginning. Wrench-->options-->under the hood --> "Use suggestion service...".

Just for the sake of putting this stupid argument to rest, I tested it with wireshark, and yes, unchecking that box immediately causes chrome to cease sending URLs to google. In fact, with all the boxes unchecked, it appears that the only traffic sent is directly to the websites that you are fetching.

I like how your "yet" implies that that hasn't been there from practically the start, though, or that you can't just use Chromium if you are really that worried about it.... really some quality FUD there.

[...]Each time Firefox checks in with the third party provider to download a new blacklist, Non-Personal Information and Potentially Personal Information, such as the information that the browser sends every time you visit a website as well as the version number of the blacklist on your system, is sent to the third party provider. In order to safeguard your privacy, Firefox will not transmit the complete URL of web pages that you visit to anyone. While it is possible that a third party service provider may determine the actual URL from the hashed URL sent, [...]

And they do this by storing some information on *my* PC where they cannot reach it? What's the point exactly? The freakin info is stored in the local preferences. Yes, it's a - relatively harmless - side channel and no this is not Google being evil.

I'm not following you. Why can't they reach the info on your PC that is put there by their program? Your computer is free storage for them. It may not be reachable for most of the time but Chrome will tell them when it is available.

I think that the clearing of private data in Firefox is a bit counter-productive, because deleting from SQLite databases merely marks the rows' storage space as being reclaimable within the file.

I once cleared private data for a day when my places.sqlite was around 70 MiB, then checked the file size and saw that it hadn't even changed by one byte. It wouldn't surprise me if the URLs were still in there -- all of them, intact, until you visit other pages to make Firefox overwrite the reclaimable pages in pla

Still, truncating the file makes recovery much more difficult, and makes it so that any process can reclaim it, not just Firefox. Fortunately, it's not that difficult to do it yourself -- just run VACUUM in sqlite.
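The behaviour discussed in the two comments above, as an added example that is not part of any comment: deleting rows from an SQLite file leaves the old bytes in freed pages until `VACUUM` rebuilds the file. The table name, hostname and row count are constructed, and `secure_delete` is forced off here as an assumption; a build that enables it overwrites deleted content instead.

```python
import os
import sqlite3
import tempfile

# Constructed hostname; used only to search the raw database file.
MARKER = b"elephants.example"


def deleted_rows_survive(n_rows=500):
    """Insert URLs, delete them, then VACUUM; report what the raw file holds."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "history.sqlite")
        # isolation_level=None gives autocommit, so VACUUM is not run
        # inside an implicit transaction.
        con = sqlite3.connect(path, isolation_level=None)
        con.execute("PRAGMA auto_vacuum = NONE")    # never shrink on delete
        con.execute("PRAGMA secure_delete = OFF")   # assumption: no overwrite
        con.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url TEXT)")

        con.execute("BEGIN")
        con.executemany(
            "INSERT INTO visits (url) VALUES (?)",
            [(f"http://{MARKER.decode()}/page/{i}",) for i in range(n_rows)],
        )
        con.execute("COMMIT")
        size_before = os.path.getsize(path)

        # "Clear private data": the rows disappear from every query ...
        con.execute("DELETE FROM visits")
        rows_visible = con.execute("SELECT COUNT(*) FROM visits").fetchone()[0]
        size_after_delete = os.path.getsize(path)
        with open(path, "rb") as fh:
            in_file_after_delete = MARKER in fh.read()  # ... but not from disk

        # VACUUM copies live data into a fresh file, dropping the free pages.
        con.execute("VACUUM")
        size_after_vacuum = os.path.getsize(path)
        with open(path, "rb") as fh:
            in_file_after_vacuum = MARKER in fh.read()
        con.close()

    return {
        "rows_visible": rows_visible,
        "size_before_delete": size_before,
        "size_after_delete": size_after_delete,
        "size_after_vacuum": size_after_vacuum,
        "in_file_after_delete": in_file_after_delete,
        "in_file_after_vacuum": in_file_after_vacuum,
    }


if __name__ == "__main__":
    for key, value in deleted_rows_survive().items():
        print(f"{key}: {value}")
```

`VACUUM` only cleans the database file itself; blocks the filesystem has released are outside its reach.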

Tried it in 5.0.375.38 beta. My hypothesis is that he had other incognito windows open as well (probably with porn in them) that kept the incognito session going while he was opening and closing the elephants.com window.

And people, please. What happened to "never ascribe to malice"? Chromium is an open-source project -- if you have to, fix it yourself, I have little doubt that patch would make it into the official Google Chrome.

So, since the example in TFA didn't restart Chrome between incognito windows, I decided to see what happened when I followed the steps with "4.5 Exit chrome completely, then restart", and can confirm that even when Chrome fully exits and is restarted, it remembers the zoom level used in a URL only ever visited in an incognito window.

'course, it *could* be storing a hash (salted or not) of the domain name and not the domain name itself. The test suggested in TFA is pretty poor, and doesn't prove anything about whether the actual domain name is kept.

Here's the bug in question, filed about 2 weeks ago: http://code.google.com/p/chromium/issues/detail?id=43107 [google.com]
Seems like someone looked at it, prioritized and classified it (eg pri-2, internals-cookies). What's the big deal? It's just a bug that needs to get fixed, not a huge conspiracy by Google.

There are many ways to finger print something that are not reversible. For instance, this is just page viewing preference data about a site you visited. What if it takes a hash of the url and uses that to store settings like current zoom and scroll location. There is almost no way this violates the idea of 'incognito' mode.

TFA only mentions zoom levels as being stored -- not any other info from users' porn-mode browsing session, just zoom levels. Chrome recently began saving users' zoom levels (if I'm not mistaken) so that pretty much explains that (while conveniently also accounting for why users of earlier versions may not be experiencing this phenomenon as well.)
We're all waiting for google to slip up monumentally (or "pull a facebook," if you will,) but unfortunately we'll have to wait another day.

From the google bug tracker: "we (the UI design team) made the choice to purposefully remember incognito zoom levels."

Sounds like they intentionally gutted the security of the incognito mode for the zoom levels... It's one thing if it's an oversight, but to do it intentionally reveals a total disregard for the privacy someone using incognito expects.

You're missing the point. If Chrome records zoom levels for particular sites, each such record is proof by implication that you visited the site. The Incognito mode is supposed to prevent recording of what sites you visit.

Google is a marketing/sales/advertising company. They can only be trusted to a certain point. Their motives are not those of a generous and altruistic organization. Their motives are consistent with those of the type of business they are. It is as simple as that.

Be aware of the version you're using. Chrome v4 *may* not save the zoom level, so it wouldn't show it anyway. I'm on the dev channel, and thus am using the newly-released v6, and it's definitely reproducible.

Submitted by rcamans on Friday October 23 2009, @01:21PM

rcamans writes "Visit a bunch of sites in Chrome incognito, and then look at your history in IE 7. Oh My God! A few of the sites you did not want in history are in IE history? How did they get there? A nasty in Windows XP OS. Oh, man... These sites do not show in Opera history, Safari history, Chrome history, or Firefox history. So maybe it has to do with IE integration into the Windows OS. Do not trust Chrome incognito until this bug is fixed. If it can be fixed."

I have the Chrome 5.0.375.38 beta from Ubuntu 10.04. Browsing Incognito appears to still change a number of files on disk, though I haven't investigated what is changed or stored. Finding the zoom problem is straightforward, though:

Per-site zoom levels are stored in a Preferences file (.config/google-chrome/Default/Preferences for me) in a "per_host_zoom_levels" section. It appears that the key is the domain name and the value is the zoom level. These seem to be saved when Chrome exits and, at least in my v

Chrome is very likely to hold the DOM of visited pages in the cache so that f.e. hitting the back button will quickly render the previous page. That does not necessarily mean that the information gets persisted on the hard drive or is available to other pages. On the other hand it's not unlikely that the information sometimes gets paged out to the hard drive and persists until it gets overwritten.

I've noticed that previously visited sites still flash up as suggestions immediately after purging the history. These seem to go away after a page refresh. There's probably some caching going on that isn't deleted correctly.

How else do you think Chrome gets to be so fast? The Chocolate Factory knows your entire browsing history so it just pre-loads your favourite pages before you even realize that you want them. Why shouldn't it keep track of your favourite kinds of porn, offshore gambling web sites, and that hotmail.com email address that you thought you were keeping to yourself?

I don't get the flap over the wifi collection thing. It was publicly open wifi stuff they were collecting. If I stick a bullhorn out my window and I yell, I'm eating breakfast now, I'm showering now, I'm going to work, is it reasonable to reserve the right to be offended when people know about the particulars of my day?

This and many other things about privacy concern me. I work at MIT and google and other big companies hang around, and both within academia and industry there are not enough people advocating privacy and information ownership. Trust me, or not, but Big companies lust over personal information.

This isn't even an issue of trust. It's not a question of whether Google is stealing information about you, or even privacy. It's an error or a possible bug wherein the mode where the browser is in essentially *no history* mode isn't working 100% w/o history.

There's always Chromium; I run it on Ubuntu [hyperlogos.org]. For Windows there's SRWare Iron [srware.net]. I'm not sure which is the preferred build for OSX; perhaps Crossover Chromium [codeweavers.com]. TFA doesn't say whether Chromium is affected. Some comments under TFA state that the effect lasts only until Chrome is restarted, suggesting that the information is stored only in the memory cache.